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[57] ABSTRACT 

A cryptographic certificate attesting to the authenticity 
of original document elements, such as time of creation, 
content, or source, will lose its value when the crypto- 
graphic function underlying the certifying scheme is 
compromised. The present invention provides a means 
for extending the reliability of such a certificate by 
subjecting, prior to any such compromise, a combina- 
tion of the original certificate and the document digital 
representation from which that certificate was derived 
to a scheme based on a different and ostensibly less 
vulnerable function. The new certificate resulting from 
this procedure extends the validity of the original au- 
thenticity by implacably incorporating the original cer- 
tificate at a time when that certificate could only have 
been derived by legitimate means. 

20 Claims, 2 Drawing Sheets 
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procedure, such as provided by the present invention, 

METHOD OF liJil t!M)ING THE VALIDITY OF A to ensure the continuity of original certificate validity. 

CRYPTOGRAPHIC CERTIFICATE In essence, this invention entails generating from the 

original document a new document certificate during 

BACKGROUND OF THE mVENTTON 5 the viable term of the original certification scheme, such 

This invention relates to methods for certifying or ^ ^ based upon a cryptographic signature key 

validating the existence or occurrence of a recorded procedure or a time-stamping procedure. This new 

document or event, particularly methods which rely certification process comprises applying a different 

upon cryptographic assumptions to establish the basis cryptographic function, e.g., a time-stamping proce- 

for such a certification or validation. More specifically, dure, to a combination including the original certificate 

the invention relates to a method for reconfirming an and the original digital document from which the certif- 

original certificate m order to maintaiTi its validity for a icate was derived. Such a different function is prefera- 

significant period of tnne beyond the probable compro- bly a new and presumably more reliable algorithm or 

mise of an underlying cryptographic assumption or step procedure, or at least one upon which the original certi- 

in the original certification procedure. fication did not rely. The resulting certificate, generated 

Time-stamping procedures described in U.S. Pat by means of a function or procedure having a significant 
Nos. 5,136,646 and 5,136,647 are representative of a expected remaining term of reliability, now implacably 
type of certification for which the present method is embodies the original certificate elements at a time prior 
ad£^ted. Such schemes for setting a reliable time of to any likely compromise of the original certification 
creation of a document, or providing indisputable evi- 20 faction. Since these original elements have as yet been 
dence against the alteration of a document, generally exposed to no threat of compromise and are now bound 
digital computer data in alphanumeric, pictorial, video, by the new time stamp within the protective cloak of a 
or audio form, depend upon the assumption that tiiere fgj ^^0^^ relatively invuhierable certification function, 
exist cryptographic functions which, when appHol to a ^^eir original veracity has been extended for at least the 
digital representation of such a document, defy any 25 ^^^^^^ term of this new fimction. 
manner of manipulation which might permit undetect- 
able alterations or falsifications of the original state of BRIEF DESCRIPTION OF THE DRAWING 
document elements. The fimctional procedures gener- invention will be described with refer- 
a^y exemplified m those disclosures typically provide ^^^^ accompanying drawing of which: 
this required property, smce they generate umque cer- 30 presents a flow chart of stens embodvine a 
tificate statements which essentiaUy can not be dupli- ^ , ^ presents a now cnart or steps emooaymg a 
catedotiierthanfromanidenticaldocumentrepresenV general procedure miplementmg the certificate exten- 
tion. This security arises from the fact that the deriva- ^lon process of the mvention; and 
tion or reconstruction of tiiese fimctions from the prod- ^ ^'^^ ^ embodymg a 
ucts of their appUcation is computationally infeasible. 35 nidimentery time-stampmg procedure miplementmg 
Ultimate achievement of such derivations must be antic- certificate extension process of the mvention. 
ipated, however, since a given function or procedure DESCRIPTION OF THE INVENTION 
may be fatally flawed or, as is becoming more probable, 

advancements in computer technology and algorithmic ^® extension procedure of the present mvention is 
techniques are likely to make more readily available a 40 applicable to any manner of certificate digitally derived 
level of calculating power which enables such deriva- cryptographic means, For instance, tiie process may 
tion. ^sed to support the veracity of a document transmit- 
With compromise of a step or algorithm in a proce- ^ originally certified with a cryptographic key signa- 
dural certification function, the possibility arises of gen- algorithm or function beyond a time when that 
crating duplicate certificates or parts thereof &x>m dif- 45 function might be compromised, whether due to misap- 
ferent digital representations, i.e., creating "collisions", propriation of a secret key or to advances in computer 
and thereby defeating the previously reliable basis for a technology and algorithmic techniques. A digital time- 
certification scheme. Substitution of a newer and pre- stamp certificate could similarly benefit by application 
sumably less vulnerable function in the certification cf the invention to prevent its coming into question 
procedure may prevent for some finite time the com- 50 after compromise of the scheme or function underlying 
promise of future certificates, but the value of past cer- the time-stamping procedure. In general, the process of 
tificates in establishing original creation dates, for exam- the invention is useful to ensure the continued viability 
pie, is all but lost The present mvention, however, of any certificate produced by a digital scheme or func- 
provides a means for bridging the technological gap and tion which is capable of compromise, 
extending into the era of a newer function or procedure 55 The steps comprising a basic application of the certifi- 
the validity of the original certification. cate extension process are shown in FIG. 1. There, 
oYT*« «v -T-rrw ti^tt 7t?iltt^^xt iDxtiBl stcps 11, 13 BTC intended to depict any certifica- 
SUMMARY OF THE INVENTION tion procedure, such as a si^ture scheme or time- 
Historically, there has usually been an overlap period stamping process, in which a digital document, Di, e.g., 
between the time spans of reliability of an established 60 a body of text or alphanumeric representations, a pic- 
cryptographic function and one which has been newly ture, an audio recording, or the like, is subjected to a 
implemented with improved resistance to compromise. cryptographic scheme or procedure, generally a "fiinc- 
As computational power increases and algorithmic tion", Fi, to produce a ceitificate, Ci, which will serve 
techniques improve, the evolution and phasing of cryp- later as evidence of the original existence and substance 
tographic certification procedures or functions, for 65 of Di. The value of certificate, Ci, will persist, how- 
example, can generally be foreseen. It is possible, there- ever, only until a compromise of the certification func- 
fore, to anticipate the final stages of reliability provided tion, as a whole or in a component step or algorithm, 
by an existing certification scheme and to initiate a since, as a result of such a compromise, the certificate 



04/09/2004, EAST version: 1.4.1 



5,373,561 

3 4 

might thereafter be duplicated by an imposter or digital representation of a time-receipted document to 
through the use of a counterfeit document. produce an inimitable certificate, usually in the form of 

The basic steps of the invention are therefore effected a cryptic string of alphanumeric characters, which can 
prior to any such compromise, as projected, for exam- only be generated by such an application of that same 
pie, on the basis of the current state of computational 5 function to exactly that digital representation. The addi- 
technology, and comprise combining, at IS, the original tional characteristic property of the one-way function is 
document, D, with the original certificate, Cj, and ap- possessing such mathematical complexity as to 

plymg to that combination, at 17, a different and pre- discourage the computational derivation or reconstruc- 
sumably more secure scheme or function to obtain a ^^^^ original digital representation from the resul- 

new certificate, C2, which wiU later att^t to the vahd- 10 certificate, as weU as to discourage the generation 
ity of ongmal certificate, Ci. at a tmie wh^ its general- ^ ^^in certificate from a different representation, 
mg fmiction, Fi, was as yet micompronused and secure. ^rtification procedure utilizing such a one- 

The essential element of this process resides m the apph- ^atmpic^^ ^ ^^^-x^n '>«*.*«^c 

cation of the new certification fimction to the conjure- Z^^^^^ ^^^onthm is represented m FIG 2 at steps 
tion of origmal docmnent, D, with original certificate, 15 21-23. Hiere, digital doc^m^U Uu of step 21 is identi- 
C This step avoids the error inherent in the naive and ^^^d . e.g.. annotated with author data, to yield a receipt, 
ineffectual procedure of merely recertifying either the Ri. that, in a rudimentary procedure which may be 
original certificate or the original document alone; simply stated as: 
namely, that of perpetuating a compromise which re- _ m m 

fleets direcUy upon the veracity of the original docu- 20 Ci=Fi(Hi(Ri)) 

™ As ^'example, one might consider appUcation of tiie ^ reduced at step 23 to a certMcate, Ci, by 

present invention to extend tiie vaHd lifetime of a digi- appUcation of a time-stampmg fimction, Fi, compnsmg 
tally signed document where, in keeping with usual a current hash algonthm, Hi. 

practices, a digital signature, o-, is derived by appUca- ^5 As a result of computational or algorithmic develop- 
tion of some cryptographic signature scheme to a docu- ments over time, or in the event of a flaw in the fimction 
ment, D. To avoid invalidation of such a signed docu- itself, hash, Hi, may become compromised with the 
ment by subsequent compromise of the scheme, for result that a falsified receipt, Rjc, could produce a dupli- 
instance, due to misappropriation of a user's private key, cate, or "collision", certificate, Ci. The veracity of 
the pre-compromise generation of a certificate, C, by original certificate, Cj, and its value as probative evi- 
application of a time-stamp function, T, to a combina- dence of the contents of document, D, and other ele- 
tion of the signature and the document: ments of receipt, Ri, would thus be destroyed, since 

there would no longer exist a singular certificate cipher 
c=T(cr,D) covld be traced solely to the original document and 

_ . ^ ^, . ^ 35 its once-unique receipt, Ri, 

will provide conlinumg proof that the signature was ^^^^^ ^j^^ ^yj^^^ notdenigrate the worth 
created prior to die compromise, Le. at a time when certificate back to the time of its creation, 

only a legitmiate user could have P«>di^ it Su^^^^^ however, but only for the period subsequent to the 
f.^'^v^^'fT^i also be used to estabhsh ongmal au- Tlie value of ?he certificat^ during its 

tharehip of tiie document j. ^ preserved and extended into the 

The invention is broadly useful, as well, as a means of ^ 7Z 7^ TTt r^v 1 * * I- • ♦ 

extending or "renewing** time-sta^p ceiSficates. gener- ^^ture if means were available to hnk mto a tmie pnor to 
^FofZ^^^ schJe for certifykg an such comprojn^e with a trustworthy scheme for ^^^^^^ 
evLt. such as time-stamping the creation of a docu- mg a new certificate at le^^ 
ment. comprises estabUshing a digital representation of the mitial certificate. The problem, tiierefore, has 

tiie document content, adding data denoting current 45 been to "recertify^ tiie original certificate m a manner 
time, and permanentiy fixing tiie resulting digital state- which would verify die facts that had been securely 
ment against subsequent revision, aU under trustwortiiy bound into that certificate until tiie first colhsion oc- 
circumstances, to yield a certificate which will provide curred. 

irrefiitable evidence of the event at a later time. Means A naive solution to this problem would appear to be 
for ensuring tiie original veracity of the certificate have 50 just tioiat simple; that is, to recertify tiie original certifi- 
been described in our earlier-noted patent specifications cate. for example by applying a new and more robust 
as including use of trusted outside agencies, arbitrary hash. H2. The fallacy in this approach becomes appar- 
selection of agencies, linking of certificates in temporal ent, however, when one considers that after the in- 
chains, and similar practices which remove substan- stance of a collision the condition exists where: 
tially all influence a document author might have upon 55 
the certification process. Other methods of establishing Hi(Ri)=Ci =Hi(Rje). 

the authenticity of original certification procedures 

might also include private and public key cryptographic The hashing of certificate, Ci, with a new function, Hz, 
communications. would therefore not produce a renewal certificate ci- 

Common to certification procedures is the applica- 60 pher, C2, unique only to receipt, Ri, since: 
tion of some manner of cryptographic function by 

which the document, related identifying data, or digital C2=H2(Ci)«Hi(Hi(Ri))=H2(Hi(Rjt)) 
representations of these elements may be algorithmi- 

cally reduced to a unique statement or cipher which can and, thus, there is no reliable distinction between those 
not feasibly be duplicated from different representative 65 resulting certificates. 

elements by computational means. Any of the general The present invention, however, does provide such a 
class of one-way hashing algorithms, for example, may unique certificate which serves to extend the veracity of 
be used in such a procedure or function applied to a an original certificate beyond subsequent compromise 
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of the original function or algorithnL This is accom- 
plished, as in the representative of FIG. 2, by combin- and with additional data representing a prior transac- 
ing, at step 25, the original certificate, Ci, with the tion formed the basic statement to which the function 
original document, Di, from which it was generated comprising MD4 hash algorithm. Hi, was applied to 
and which b to be later proven, and applying to that 5 yield the unique cipher: 
composite statement, at step 27, a different certification 

ftmction, F2, e.g., comprising a new hashing algorithm^ 46f7d75f0ft)ea95c96fc38472aa28cal 
H2, to yield the extended certificate: 

which is held by the author as a time-stamp certificate, 

C2=F2(H2(CiJ»i))=F2(H2(Hi(RO^i)). 10 Q. 

In the event of an anticipated compromise of the 
The final represented step, 29, in which it is established MD4 hash function algoritlun, the procedure of this 
that the new certificate, C2, was created during the invention would be initiated utilizing a difiTerent time- 
valid term of original certificate, Ci, Le., prior to any stamping certification function comprising, for exam- 
compromise of the original certification fimction, may IS pie, a new algorithm, H2, such as the MDS hashing 
be effected along with step 27, for example in the course function described by Rivest and Dusse, 'The MDS 
of applying an earlier-described time-stamping proce- Message Digest Algorithm", Network Working Group, 
dures, to generate certificate, C2. Alternatively, the Internet Draft, RSA Data Security, Inc. (July 1991); 
effective time of the new certificate, C2, may be estab- RFC 1321, Internet Activities Board (April 1992). 
lished simply by publication, e.g., in a widdy-dis- ?0 As an initial step in this procedure, the document 
tributed newspaper, either alone or as incorporated into representation, Di, to be proven at a later time is com- 
a derivative representation similar to the "authentica- bined with original certificate, Ci, either in original 
tion tree" noted by D. E. R. Denning in Cryptography digital form or, preferably, as the convenient, con- 
and Data Security, pp. 170-171, Addison-Wesley (1982). densed output of hash fimction, H2, viz.: 

In the ultimate utilization of this new certificate, C2, 

to prove the original document, Dj, by recomputing .D9776652JcDAi2.M5i9iCAD7 

certificate, C2, from its dements, such proof will fail . 

unless original document, Di, rather than a bogus docu- formmg the combination statement, (Ci, Di), as: 

ment, Dx, is an included element. Even though a colli- ^r«j-rc*r«u . 

sion due to compromised fimction. Hi, may ^ at the 30 46nd75fDfbca95c96fc38472aa28cai. 

time of using certificate, C2, in a proof, the as yet invul- .D9776652kDAi2.M5i9iCAD7. 
nerable state of hash function, H2, ensmres against any 

collision with the expanded statement, i.e., one compris- Applying to this statement hashing algorithm, H2, com- 

mg document dement, Di, which is used to generate pnsing the new fimction, F2, produces: 
that new certificate. During a normal proofing process, 

the original certificate, Ci, will also be recomputed 656h//PDDM«)M9/qDDt85F56 
using the document in question. Unless the document 

then employed to recompute original certificate, Ci, which in a time-stamping procedure, for instance, may 

matches predsely the document similarly employed be transmitted to an outside agency for the inclusion of 

with new certificate, C2, the proof will not be realized. ^ current time data and authenticating cryptographic 

A false document, Dx, therefore can not be substituted signature to yield extended certificate, €2- As earlier 

surreptitiously for an original document as long as the noted, the effective date of a new certificate, C2, may 

applied hash function, H2, remains uncompromised, otherwise be established, such as in other time-stamping 

since for any document, Djc, which one could feasibly schemes or by public display or notoriety, 

compute: ' A variation on the foregoing embodiment provides 

an even more reliable practice in that it substantially 

H2(CiJ3i>?tH2(Ci,Dj:). eliminates the uncertainties associated with estimating 

the onset of a certification function compromise. This is 

When advancements in computation portend a com- accomplished by using a plurality of different crypto- 

promise situation, yet a different time-stamp function, =0 graphic fimctions, e.g., Fa and F*, to derive a compound 

e.g., one utilizing algonthm, H3, with longer life expec- original certificate, Ca: 
tancy may be employed in the same procedure to again 

extend the involved certificate. Co=Fd(Di),FA(Di). 

As an example of the implementation of the present 
mvention, one might consider first an initial certificate which will remain valid even after the confirmed com- 
prepared in the manner described in our earlier U.S. promise of one of those function due to the likely con- 
Pat. No. S, 136,646 employing the one-way hash algo- tinned viability of the other. Thus a period of security 
rithm specified by R. L. Rivest in 'The MD4 Message continues during which one may select a new certifica- 
Digest Algorithm", Advances in Cryptology — Crypro tion function, F^ to be employed in the extension of 
'90, Lecture Notes in Computer Sdence, Vol. 537 (ed. ^ certificate, Ca as: 
A. J. Menezes et al.), pp. 303-311, Springer-Verlag 

(Berlin, 1991). In that earUer example, elements of the c^=F6(Ca. Dj), Fc(Ca. Di). 
recdpt, Ri, identifying the quotation "document" ap- 
peared as: Subsequent compromise of any current cryptographic 

65 function can be remedied in like manner. 

1328, 194«28GMT06MAR91, d34» It is anticipated that other variants will become ap- 
parent to the skilled artisan in the light of the foregoing 

ee2eDea60enOcb62lc4fb3f8dc34c7 disclosure, and such embodiments are likewise consid- 
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ered to be encompassed within the scope of the inven- 
tion defined by the appended claims. 
What is claimed is: 

1. A method of extending the validity of a first cryp- 
tographic certificate derived by applying a first crypto- 5 
graphic fiinction to a digital document, which method 
comprises: 

a) combining a digital representation of said docu- 
ment with a digital representation of said certdfi- 
cate; and 

b) applying to the resulting combination during the 
valid term of said first certificate a diff^erent crypto- 
graphic function to thereby generate a second cer- 
tificate attesting to the then current validity of said ^ ^ 
first certificate. 

2. A method according to claim 1 wherein said first 
function is a cryptographic signature scheme. 

3. A method according to claim 2 wherein said differ- 
ent function is a time-stamping procedure. 20 

4. A method according to claim 3 wherein said differ- 
ent function comprises a one-way h as hi ng algorithm. 

5. A method according to claim 1 wherein said first 
function is a time-stamping procedure. 

6. A method according to claim 5 wherein said first 25 
function comprises a one-way hashing algorithm. 

7. A method according to claim 5 wherein said differ- 
ent function is a time-stamping procedure. 

8. A method according to claim 7 wherein said first 
function comprises a first one-way hashing algorithm 30 
and said different function comprises a different one- 
way hashing algorithm. 

9. A method according to claim 1 wherein said differ- 
ent function is a time-stamping procedure. 

10. A method of certifying a digital representation of 35 
a document which comprises: 

a) generating a first certificate by applying to said 
digital representation at least a first cryptographic 
function; 

b) combining said first certificate with said digital 40 
representation; and 



c) generating a second certificate by applying to ^d 
combination at least one cryptographic function 
which is different from said first function. 

11. A method according to claim 10 wherein said first 
function is a cryptographic signature scheme. 

12. A method according to claim 11 wherem said 
different function is a time-stamping procedure. 

13. A method according to claim 12 wherein said 
different function comprises a one-way hashing algo- 
rithm. 

14. A method according to claim 10 wherein said first 
function is a time-stamping procedure. 

15. A method according to claim 14 wherein said first 
function comprises a one-way hashing algorithm. 

16. A method according to claim 14 wherein said 
different function is a time-stamping procedure. 

17. A method according to claim 16 wherein said first 
function comprises a first one-way hashing algorithm 
and said different function comprises a different one- 
way hashing algorithm, 

18. A method according to claim 10 wherein: 

a) said first certificate is generated by applying to said 
digital representation at least first and second dif- 
ferent cryptographic functions; and 

b) said second certificate is generated by applying to 
said combination at least one cryptographic func- 
tion which is different from said first and second 
functions. 

19. A certificate authenticating a digital representa- 
tion of a document, said certificate consisting of a sec- 
ond certificate generated according to the method of 
claim 10. 

20. A certificate according to claim 19 wherein: 

a) said first certificate is generated by applying to said 
digital representation at least first and second dif- 
ferent cryptographic functions; and 

b) said second certificate is generated by applying to 
said combination at least one cryptographic func- 
tion which is different from said first and second 
functions. 
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